Re: [Rd] Scanning a R script for potentially insidious commands

From: Joris Meys <jorismeys_at_gmail.com>
Date: Wed, 19 Dec 2012 12:39:21 +0100

The safest way to prevent attacks using an R connector is managing the permissions for the application on your own server. We do that with the RStudio Server application we have running. You have to take into account that R allows for many interactions with the system. Also file(), dir(), unlink() and all sys.* functions have the potential to screen and possibly alter your system. Not only system() and eval() pose a security problem...

How to do this exactly, depends very much on both the server and OS settings and the specific R connector you use/build. But don't count on R alone to provide safety.

Cheers
Joris

On Wed, Dec 19, 2012 at 12:28 PM, Michael Weylandt <michael.weylandt_at_gmail.com> wrote:

>
>
> On Dec 18, 2012, at 12:48 PM, Etienne Sévin <e.sevin_at_epiconcept.fr> wrote:
>
> > Hey all,
> >
> > We are building a R connector for our web application.
> > The user can upload a script so it can be executed on the server.
> >
> > Is there a way to scan the script for insidious commands (writing on the
> > disk for example) and purge them out?
>
> Completely, not that I know of: but grepping for system() and eval()
> should catch a majority of red flags.
>
> Michael
>
> > I guess a simple search is not enough so is there a way to analyse the
> > pseudo code?
> >
> > Best,
> >
> > Etienne
> >
> > ______________________________________________
> > R-devel_at_r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
>
> ______________________________________________
> R-devel_at_r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>

-- 
Joris Meys
Statistical consultant

Ghent University
Faculty of Bioscience Engineering
Department of Mathematical Modelling, Statistics and Bio-Informatics

tel : +32 9 264 59 87
Joris.Meys_at_Ugent.be
-------------------------------
Disclaimer : http://helpdesk.ugent.be/e-maildisclaimer.php
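The thread contrasts grepping an uploaded script for system() and eval() with the wider set of functions (file(), unlink(), the sys.* family, namespaced calls, functions reached by name) that can touch the host. The following is an added example, not code from any of the posters: it scans a script with R's own parser via utils::getParseData(), so it sees function-call tokens and string literals rather than raw text, and it flags the indirection primitives (get, do.call, eval, match.fun) that defeat any name-based check. The sample script, the function names scan_script and dangerous, and the block list itself are constructed for the example and are not an authoritative list of unsafe functions.

```r
## Added example: parser-based triage of an uploaded R script.
## Assumed names: uploaded_script, dangerous, scan_script (not from the thread).

## Constructed sample upload. Each line after the first two reaches the
## host in a way that a grep for "system(" or "eval(" would not catch.
uploaded_script <- '
x <- rnorm(10)
summary(x)
unlink("/srv/data/results.csv")                 # deletes a file, no system()
base::system2("curl", "http://example.invalid") # namespaced, no bare "system("
f <- get(paste0("sys", "tem"))                  # name assembled at run time
f("id")
do.call("file.remove", list("important.txt"))   # function passed as a string
'

## Functions that act on the host rather than just compute. Illustrative
## list for this example only; a real deployment would review its own.
dangerous <- c(
  "system", "system2", "shell", "pipe", "fifo", "socketConnection", "url",
  "file", "unlink", "file.remove", "file.rename", "file.copy", "dir.create",
  "setwd", "download.file", "Sys.setenv", "source", "sys.call", "sys.function",
  ## indirection primitives: any of these can reach the names above without
  ## spelling them out, so a name-based scan must flag them as well
  "eval", "evalq", "get", "get0", "mget", "do.call", "match.fun",
  "library", "require", "loadNamespace", "dyn.load", ".Call", ".C", ".External"
)

scan_script <- function(src, blocklist = dangerous) {
  ## parse() stops with an error on a syntax error, which is the right
  ## outcome for an upload: nothing unparsable should be run.
  exprs <- parse(text = src, keep.source = TRUE)
  pd <- utils::getParseData(exprs)

  ## Every identifier in call position, including the "system2" part of
  ## base::system2, is a SYMBOL_FUNCTION_CALL token.
  calls <- pd[pd$token == "SYMBOL_FUNCTION_CALL", c("line1", "text")]

  ## A function name supplied as a string, as in do.call("file.remove", ...),
  ## is a STR_CONST token; strip the quotes and check it against the list too.
  strs <- pd[pd$token == "STR_CONST", c("line1", "text")]
  strs$text <- gsub("^[\"']|[\"']$", "", strs$text)

  hits <- rbind(
    data.frame(line = calls$line1, name = calls$text, how = "call",
               stringsAsFactors = FALSE),
    data.frame(line = strs$line1, name = strs$text, how = "string",
               stringsAsFactors = FALSE)
  )
  hits <- hits[hits$name %in% blocklist, ]
  hits[order(hits$line), ]
}

## Expected rows: unlink (line 4), system2 (line 5), get (line 6),
## do.call and the string "file.remove" (line 8).
print(scan_script(uploaded_script))
```

Two things the output makes concrete. First, `f("id")` on line 7 is not flagged at all; it is only caught because `get` on line 6 is on the list, which is why every indirection primitive has to be blocked if the scan is to mean anything, and blocking them rules out a lot of legitimate code. Second, the scan says nothing about what `file()` or `readLines()` on a path like /etc/passwd would read. That is the practical version of the point made above: treat a parse-tree scan as a way to reject obviously hostile uploads early, and rely on the operating-system controls (a dedicated unprivileged user, a restricted filesystem view, resource limits) for the actual security boundary.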




Received on Wed 19 Dec 2012 - 11:42:31 GMT

Archive maintained by Robert King, hosted by the discipline of statistics at the University of Newcastle, Australia.
Archive generated by hypermail 2.2.0, at Wed 19 Dec 2012 - 12:52:38 GMT.
